Working Group

Application Containers and Microservices

This working group is a subgroup of the DevSecOps working group. The mission of this subgroup is to conduct research on the security of application containers and microservices and publish guidance and best practices for the secure use of application containers and microservices.
Microservices Architecture Pattern
Microservices Architecture Pattern


Application Containers and Microservices
Application containers and a microservices architecture, as defined in NIST SP 800-180, are being used to design, develop and deploy applications leveraging agile software development approaches such as DevOps. The security of application components needs to be considered throughout the Software Development Life Cycle. The use of containers and microservices have been increasingly implemented in organizations. This increase in popularity can be attributed to the ease with which they move through a lifecycle allows for efficient restart, scale-up or scale-out of applications across clouds. However, these unique characteristics also mean there are distinct security ramifications which must be considered.

What are microservices?
The next evolution of the application architecture is the “service-oriented architecture” (SOA). In SOA, the entire gamut of solutions (e.g. supporting a business process) is broken up into multiple parts or components called services. The design of a microservices architecture is intended to address the limitations of SOA by enabling the individual microservices to communicate with each other using lightweight protocols such as Representational State Transfer (REST). Furthermore, the individual microservices can be developed in platforms best suited for them, allowing for heterogeneity in addition to independent scalability and deployment due to loose coupling between individual microservices. 

What are the security risks associated with microservices?
This new approach presents new security challenges such as an increased attack surface due to an increase in the number of components and secure service discovery as a result of the dynamic nature of service instance due to location changes.

Who should read the research produced by this group?
This group assumes that readers have some knowledge of operating system, networking, and security expertise, as well as expertise with application containers, microservices and agile application development approaches such as DevOps.

Please note that this project is a subgroup of the DevSecOps working group. To participate you can join our DevSecOps community and let the leaders know you are interested in this particular area of DevSecOps.

Working Group Leadership

Anil Karmel Headshot
Anil Karmel

Anil Karmel

Co-founder and CEO

Anil is co-chair of the CSA Application Containers and Microservices working group and has led the development of multiple research artifacts, building off the work started in the NIST Cloud Security working group. He is president of the CSA DC Metro Area Chapter, which he has transformed from a dormant chapter into one of North America’s most a...

Read more

Andrew Wild Headshot
Andrew Wild

Andrew Wild

This person does not have a biography listed with CSA.

Publications in ReviewOpen Until
Third-Party Vendor Risk ManagementJun 13, 2022
View all
Who can join?

Anyone can join a working group, whether you have years of experience or want to just participate as a fly on the wall.

What is the time commitment?

The time commitment for this group varies depending on the project. You can spend a 15 minutes helping review a publication that's nearly finished or help author a publication from start to finish.

Open Peer Reviews

Peer reviews allow security professionals from around the world to provide feedback on CSA research before it is published.

Learn how to participate in a peer review here.

Third-Party Vendor Risk Management

Open Until: 06/13/2022

The increased use of third-party vendors for applications and data processing services is a business model that is likely t...